CVE-2025-38006 in Linuxinfo

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

net: mctp: Don't access ifa_index when missing

In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox "ip addr show".

The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index).

BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824 netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/02/2026

The vulnerability CVE-2025-38006 resides within the Linux kernel's Multi-Channel Text Protocol implementation, specifically in the mctp_dump_addrinfo function located in net/mctp/device.c at line 128. This issue represents a classic uninitialized memory access flaw that occurs when the kernel attempts to process network interface address information without proper validation of the input structure. The problem manifests when the ifa_index field is accessed without ensuring that the struct ifaddrmsg has been properly initialized, leading to potential information disclosure or system instability. The vulnerability was identified through kernel memory sanitization tools and demonstrates a clear violation of secure coding practices where developers assume memory initialization without explicit validation.

The technical flaw stems from the improper handling of the ifa_index field within the MCTP (Multi-Channel Text Protocol) address dumping mechanism. When mctp_dump_addrinfo processes network interface address information, it attempts to filter interfaces based on ifa_index values, but this filtering operation only occurs when a valid struct ifaddrmsg is provided. Without proper validation, the code accesses uninitialized memory locations, creating a potential attack surface where malicious actors could exploit this uninitialized memory access to gain information about the kernel's internal state or potentially cause system crashes. This pattern aligns with CWE-457: Use of Uninitialized Variable, which specifically addresses scenarios where uninitialized memory is accessed, leading to undefined behavior and potential security implications.

The operational impact of this vulnerability extends beyond simple memory access issues to potentially affect network stability and system integrity in environments utilizing MCTP protocols. Systems running kernel versions affected by CVE-2025-38006 may experience unpredictable behavior when network interface address information is being dumped, particularly in scenarios involving DHCP clients like dhcpd or network utilities such as busybox ip addr show commands. The vulnerability is particularly concerning in network management contexts where MCTP is used for device communication and system monitoring, as it could allow attackers to extract sensitive kernel memory information or cause denial of service conditions through carefully crafted network interface queries.

The root cause of this vulnerability can be traced to inadequate input validation within the kernel's network subsystem, specifically in how it handles interface address information during MCTP address dumping operations. This flaw demonstrates a failure in the kernel's defensive programming practices, where proper bounds checking and initialization verification should have been implemented before accessing the ifa_index field. The issue is further exacerbated by the fact that existing userspace programs are already expected to provide valid ifa_index values, suggesting that the kernel implementation should be more robust in handling edge cases where invalid or uninitialized data might be passed through the network interface subsystem. From an ATT&CK perspective, this vulnerability could be leveraged as part of a reconnaissance phase to gather kernel memory layout information, potentially supporting more sophisticated attacks.

Mitigation strategies for CVE-2025-38006 should focus on implementing proper input validation and memory initialization checks within the mctp_dump_addrinfo function. The recommended approach involves adding explicit validation to ensure that the struct ifaddrmsg is properly initialized before accessing the ifa_index field, thereby preventing the uninitialized memory access pattern. System administrators should prioritize applying kernel updates that contain the patched version of the MCTP implementation, as the fix typically involves adding conditional checks to verify the presence of valid initialization data before proceeding with interface filtering operations. Additionally, monitoring network interface address dumping operations and implementing proper kernel memory sanitization testing can help identify similar vulnerabilities in other kernel subsystems. Organizations should also consider implementing network segmentation and access controls to limit exposure to potential exploitation of this class of vulnerability, particularly in environments where MCTP protocols are actively utilized for device communication and system management functions.

Responsible

Linux

Reservation

04/16/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00155

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!